Phishing your own company

Phishing is the practice of sending emails, usually while presenting yourself as a reputable source, in the hope that the recipient will reveal personal information that gives leverage over, or access to, their accounts or finances. It’s a malicious attack that requires nothing but your email address, and it is only becoming more frequent and more effective.

This email related to the Hillary Clinton email scandal is an almost perfect phishing example. The email demands an urgent response, and it looks like a genuine Google email. The only difference is the email address. The legitimate email would come from no-reply@accounts.google.com.

The only other hint is the subject. “Someone has your password” is very informal and is intended to scare the user into hurrying through the email. It differs from the usual “Security alert” sent by Google.

These small details will go unnoticed by many people, which could easily lead to a breach without the proper precautions. This could be devastating for individuals, and more so for companies.

There aren’t many steps you can take as an individual, apart from being wary of any email that leads to you sending personal data. These steps would include general good online security, such as two-factor authentication and unique passwords for different sites.

An option companies now have is to test their company’s alertness to such phishing emails by simulating them. A company would send out a phishing email that collects data on what the effects would have been if the phishing attempt had been real. This can benefit a company far more than the traditional internet security methods. It presents a more practical approach to the problem, which accomplishes a lot more than older options like a multiple-choice quiz to test “online safety”.

The simulations can return clear statistics on the effect phishing emails can have on your company. They can give the percentage of workers who opened the email, clicked the link and sent company details. This gives you information on where worker knowledge is lacking and how much of a priority internet security should be. It can also help single out those who need to be provided with training.
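As an added example (not part of the original post), the statistics described above can be computed from the tracking events a simulated campaign logs. The event names, addresses and departments are constructed assumptions, with "submitted" standing for a worker sending company details.

```python
STAGES = ("opened", "clicked", "submitted")

# Constructed sample data: recipients of one simulated campaign and the
# tracking events it logged. Addresses and departments are made up.
RECIPIENTS = {
    "ana@example.test": "finance", "bo@example.test": "finance",
    "cy@example.test": "engineering", "di@example.test": "engineering",
    "eve@example.test": "sales",
}
EVENTS = [
    ("ana@example.test", "opened"), ("ana@example.test", "opened"),
    ("ana@example.test", "clicked"), ("ana@example.test", "submitted"),
    ("bo@example.test", "opened"),
    ("cy@example.test", "clicked"),    # open not logged: remote images blocked
    ("eve@example.test", "opened"),
    ("zed@example.test", "clicked"),   # not a recipient, so ignored
]

def campaign_report(recipients, events):
    """Funnel percentages overall and per department, plus who needs training."""
    reached = {stage: set() for stage in STAGES}
    for user, event in events:
        if user in recipients and event in reached:
            reached[event].add(user)   # sets count repeated events once
    # A later stage implies the earlier ones, even when tracking missed them.
    reached["clicked"] |= reached["submitted"]
    reached["opened"] |= reached["clicked"]

    def rates(group):
        total = len(group) or 1        # avoid dividing by zero on empty input
        return {s: round(100 * len(reached[s] & group) / total, 1)
                for s in STAGES}

    by_dept = {}
    for dept in sorted(set(recipients.values())):
        members = {u for u, d in recipients.items() if d == dept}
        by_dept[dept] = rates(members)
    return {
        "overall": rates(set(recipients)),
        "by_department": by_dept,
        "needs_training": sorted(reached["clicked"]),
    }

if __name__ == "__main__":
    report = campaign_report(RECIPIENTS, EVENTS)
    print("overall:", report["overall"])
    for dept, dept_rates in report["by_department"].items():
        print(dept, dept_rates)
    print("training:", report["needs_training"])
```

Open rates rely on a tracking image loading, so they tend to undercount; click and submission rates are the more reliable measures.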

Probably the most important result is that it keeps workers on the lookout. Knowing that these fake emails are somewhere in their inbox raises awareness of messages asking for credentials. In the end, that is the goal phishing simulations try to achieve.

Such a process may find you questioning how information is passed around in your company, how authentication is carried out and who has access to what data. These questions are healthy to ask and are more important than ever in the modern tech-dependent workplace.